Accepts encrypted client requests from Password Policy Enforcer v9.x clients. Responses to
encrypted requests are also encrypted.
A new Compromised rule to reject passwords from prior security breaches. See the
Compromised Rule
topic for additional information.
The History rule can use a more secure hash function called Argon2. See the
History Rule
topic for additional information.
Can log an event when passwords are rejected. See the
Policy Properties
topic for additional information.
Can be configured to only accept encrypted client requests. Enabled by default for new
configurations, but not when upgrading from an older version. See the
Policy Properties
topic for additional information.
Can enforce domain password policies on pure IPv6 networks
No longer backwards compatible with Password Policy Enforcer v3.x clients
Imports Password Policy Enforcer v8.x configuration settings. See the
Upgrading from v8.x
topic for additional information.
Increased maximum age to five years. See the
Improved file selection dialog default folder behavior and allow selection of read-only files.
Depreciated the exactly 7 or 14 characters Length rule option. This option is hidden unless it is
currently selected. See the
Length Rule
topic for additional information.
Now compatible with Windows 10 and Windows Server 2016
Hides non-essential user interface elements on the Windows 10 Change Password screen to increase
the space available for the Password Policy message. See the
Changing the Default Settings
topic for additional information.
Displays the Password Policy message in a message box on Windows 10 computers with small screens.
The Password policy message box can also be shown on larger screens by changing the default
display settings. See the
Changing the Default Settings
topic for additional information.
Replaces the leading minus sign in the Password Policy and Rejection Reason messages with a bullet
character on Windows Vista and later
Uses a new communications library with better performance and more options
Improved compatibility with third-party credential providers
Added a parameter to the Client API to differentiate between password changes and password resets
The Maximum Age rule can delay the expiry of passwords that exceed a certain length to encourage
the use of longer passwords. See the
Maximum Age Rule
topic for additional information.
A new Character Pattern rule detects patterns like abcde and 12345. See the
Character Pattern Rule
topic for additional information.
A new Repeating Pattern rule detects password like Passw0rdPassw0rd and P@ssw0Password. This stops
users from using repetition to increase the length of a short password. See the
Repeating Pattern Rule
topic for additional information.
A second Dictionary rule has been added to allow for more flexible detection of dictionary words.
See the
Dictionary Rule
topic for additional information. The second rile can be used with different settings and it can
remain enabled if the first Dictionary rule is disabled for passphrases. See the
Passphrases
topic for additional information. This can be used to relax requirements for passphrases without
totally disabling dictionary checking.
A new Custom Character rule without a predefined character set allows custom character sets to be
used without overwriting one of the default character sets. See the
Character Rules
topic for additional information.
Now compatible with Windows 8.1 and Windows Server 2012 R2
Added support for local password policies. See the
Domain and Local Policies
topic for additional information.
The dictionary file and password synchronization script paths can now contain environment
variables. See the
Dictionary Rule
and
Policy Properties
topics for additional information.
Now compatible with Windows 8.1 and Windows Server 2021 R2
Improved compatibility with third-party credential providers
Displays a diagnostic message if the Password Policy Server does not respond to a request. This is
likely to happen if a domain controller is not running Password Policy Enforcer or if a firewall
is blocking access to the PPS port.
Imports Password Policy Enforcer v6.x configuration settings. See the
Upgrading from v6.x
topic for additional information.
Option to mask passwords when testing policies. See the
Testing Policies
topic for additional information.
Improved dictionary file sorting performance by up to 400%. See the
Dictionary Rule
topic for additional information.
Improved performance when opening the Policy Properties page for polices where all assignments are
by container. See the
Policy Properties
and
Assigning Policies to Users
topics for additional information.
A /test parameter has been added to test the Password Policy Enforcer Mailer's delivery options.
It sends a test e-mail to the mail server or pickup folder. See the
Command Line Interface
and
Email Delivery Options
topics for additional information.
The e-mail body filename can now contain environment variables. See the
Email Message Options
topic for additional information.
The Password Policy Enforcer Client installer now attempts to complete the installation without
restarting Windows on Windows Vista and later
The Quickstart Wizard Express Setup option now allows you to choose which component(s) to install.
See
theManual Installation (Express Setup)
topic for additional information.
The Quickstart Wizard now displays a warning message if run on an unsupported Windows version.
A new History rule similar to Windows History rule. Password Policy Enforcer's History rule can
enforce different history requirements for each Password Policy Enforcer policy. This rule can
stop password reuse for a specified number of days, or a specified number of password changes. See
the
History Rule
topic for additional information.
The Maximum Age rule has been redesigned to reduce the likelihood of a user being allowed to logon
on the day their password expires, and then being denied access to some network resources some
time after logon. See the
Maximum Age Rule
topic for additional information.
Password Policy Enforcer can disable some rules when a user enters a passphrase (long password).
This allows you to enforce a complex password policy while still encouraging users to use
passphrases. See the
Passphrases
topic for additional information.
Now compatible with Windows 7 (x86 and x64 editions) as well as Windows Server 2008 R2.
The Password Policy Enforcer Client API is now included with the Password Policy Client. Send and
email to support@netwrix.com if you would like to enforce Password Policy Enforcer's password
policies from your own applications. See the
Password Policy Client
topic for additional information.
The Password Policy Enforcer Mailer reminds users to change their password by sending them e-mail
reminders before their password's expiry date. See the
Mailer
topic for additional information.
Random verification codes can be sent to users by e-mail and SMS. Users must enter the code to
reset their password or unlock their account. Verification codes can be used for two-factor
authentication, or to authenticate users that have not enrolled (automatic enrollment). See the
Verification Tab
topic for more information.
The database can be moved to SQL Server for better security, fault tolerance, and accessibility.
See the
Moving to SQL Server
topic for more information.
Users are automatically deleted from the database approximately one week after they are deleted
from Active Directory. See the
Deleting Users
topic for more information.
Can enforce the Active Directory password history and minimum age policies for password resets.
See the
Reset Policies
topic for more information.
Improved handling of password changes across domains and forests.
More secure enrollment record format. APR V2 records are upgraded to the new format when the
system maintenance task runs at 1:00 AM.
More secure communication protocol. The updated protocol uses 2048-bit RSA keys, has better error
detection, and uses fewer CPU cycles.
E-mail alerts are sent in the user's preferred language if possible. The preferred language is set
after a successful enroll, reset, unlock, or change. See the
Triggers
topic for more information.
Can send all Password Policy Enforcer queries to a specific Password Policy Server. See the
Netwrix Password Policy Enforcer
topic for more information.
Default database updated to SQL Server Compact 4.0 SP1. See the
Working with the Database
topic for more information.
Improved multithreading performance when querying the database.
Replaced the 32-bit Password Reset Server service with a 64-bit version.
REST API to remind (or require) users to enroll. See the
Persuading Users to Enroll
topic for more information.
Page content and layout changes for small mobile phone screens. See the
Responsive Content
topic for more information.
Icons are in Scalable Vector Graphics (SVG) format. These look sharper when resized, and make it
easy to change the color scheme. See the
Change Icon Colors
topic for more information.
Improved encryption of temporary data.
Improved handling of e-mail addresses with unusual characters.
Updated response headers to improve compatibility with some browsers, and to reduce the likelihood
of user-submitted information being cached.
Answer fields are masked during Reset and Unlock.
Performance improvements to the page generator and request parser.